Commit e926c474 authored by Daniel Vetter's avatar Daniel Vetter

drm/compat: Clear bounce structures

Some of them have gaps, or fields we don't clear. Native ioctl code
does full copies plus zero-extends on size mismatch, so nothing can
leak. But compat is more hand-rolled so need to be careful.

None of these matter for performance, so just memset.

Also I didn't fix up the CONFIG_DRM_LEGACY or CONFIG_DRM_AGP ioctl, those
are security holes anyway.
Acked-by: default avatarMaxime Ripard <mripard@kernel.org>
Reported-by: syzbot+620cf21140fc7e772a5d@syzkaller.appspotmail.com # vblank ioctl
Cc: syzbot+620cf21140fc7e772a5d@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: default avatarDaniel Vetter <daniel.vetter@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20210222100643.400935-1-daniel.vetter@ffwll.ch
parent 19bafac4
...@@ -99,6 +99,8 @@ static int compat_drm_version(struct file *file, unsigned int cmd, ...@@ -99,6 +99,8 @@ static int compat_drm_version(struct file *file, unsigned int cmd,
if (copy_from_user(&v32, (void __user *)arg, sizeof(v32))) if (copy_from_user(&v32, (void __user *)arg, sizeof(v32)))
return -EFAULT; return -EFAULT;
memset(&v, 0, sizeof(v));
v = (struct drm_version) { v = (struct drm_version) {
.name_len = v32.name_len, .name_len = v32.name_len,
.name = compat_ptr(v32.name), .name = compat_ptr(v32.name),
...@@ -137,6 +139,9 @@ static int compat_drm_getunique(struct file *file, unsigned int cmd, ...@@ -137,6 +139,9 @@ static int compat_drm_getunique(struct file *file, unsigned int cmd,
if (copy_from_user(&uq32, (void __user *)arg, sizeof(uq32))) if (copy_from_user(&uq32, (void __user *)arg, sizeof(uq32)))
return -EFAULT; return -EFAULT;
memset(&uq, 0, sizeof(uq));
uq = (struct drm_unique){ uq = (struct drm_unique){
.unique_len = uq32.unique_len, .unique_len = uq32.unique_len,
.unique = compat_ptr(uq32.unique), .unique = compat_ptr(uq32.unique),
...@@ -265,6 +270,8 @@ static int compat_drm_getclient(struct file *file, unsigned int cmd, ...@@ -265,6 +270,8 @@ static int compat_drm_getclient(struct file *file, unsigned int cmd,
if (copy_from_user(&c32, argp, sizeof(c32))) if (copy_from_user(&c32, argp, sizeof(c32)))
return -EFAULT; return -EFAULT;
memset(&client, 0, sizeof(client));
client.idx = c32.idx; client.idx = c32.idx;
err = drm_ioctl_kernel(file, drm_getclient, &client, 0); err = drm_ioctl_kernel(file, drm_getclient, &client, 0);
...@@ -852,6 +859,8 @@ static int compat_drm_wait_vblank(struct file *file, unsigned int cmd, ...@@ -852,6 +859,8 @@ static int compat_drm_wait_vblank(struct file *file, unsigned int cmd,
if (copy_from_user(&req32, argp, sizeof(req32))) if (copy_from_user(&req32, argp, sizeof(req32)))
return -EFAULT; return -EFAULT;
memset(&req, 0, sizeof(req));
req.request.type = req32.request.type; req.request.type = req32.request.type;
req.request.sequence = req32.request.sequence; req.request.sequence = req32.request.sequence;
req.request.signal = req32.request.signal; req.request.signal = req32.request.signal;
...@@ -889,6 +898,8 @@ static int compat_drm_mode_addfb2(struct file *file, unsigned int cmd, ...@@ -889,6 +898,8 @@ static int compat_drm_mode_addfb2(struct file *file, unsigned int cmd,
struct drm_mode_fb_cmd2 req64; struct drm_mode_fb_cmd2 req64;
int err; int err;
memset(&req64, 0, sizeof(req64));
if (copy_from_user(&req64, argp, if (copy_from_user(&req64, argp,
offsetof(drm_mode_fb_cmd232_t, modifier))) offsetof(drm_mode_fb_cmd232_t, modifier)))
return -EFAULT; return -EFAULT;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment